Ransomware - How to Stop It

Ransomware has affected all types of public and private organizations, including US state and local government, healthcare providers, large international enterprises and even managed IT service providers. Will this scourge stop anytime soon? Probably not. As Willie Sutton is claimed to have said when asked why he robs banks, "That's where the money is". As long as attackers can relatively easily perform successful ransomware attacks and get paid, these attacks will likely continue.

The important thing to know is that these attacks can almost all be prevented. Not by putting the perpetrators in jail, like Willie Sutton, but by implementing cyber defense best practices, such as those recommended by the Center for Internet Security (CIS).[1] Belarc's products can help organizations of any size implement the CIS Top 5 controls in an automated and cost effective way.[2]

Impact

The impact that ransomware has had on organizations of all sizes over just the past few years is astonishing. Here are a few examples:

U.S. state and local government

At least 170 U.S. state and local organizations have been successfully attacked by ransomware since 2013, with the most occurring in the past few years. See chart below.[3] Some of these attacks have been quite expensive in time and money and in their negative impacts on government operations and services to citizens. Well publicized examples include attacks on the following:

• Atlanta, GA, where the ransomware attack affected almost all of the city's agencies and cost the city an estimated $17 million in direct costs.[4]
• Baltimore, MD, where the city's payment and email services were off-line for two months.
• Riviera Beach, FL, where emergency response systems and email were down and the town decided to pay a ransom of $600,000.[5]

As cities and state agencies continue to offer more digital services, the impact of a successful ransomware attack will become ever more devastating to them and their citizens.

Healthcare

Healthcare has also been a target for ransomware, maybe because of the need to bring critical systems back on-line quickly. Some examples of healthcare organizations being negatively impacted by ransomware are:

• The U.K. National Health Service (NHS), which was impacted by the 2017 WannaCry outbreak that brought hundreds of NHS facilities to a standstill for several days.
• Erie County Medical Center, NY, which lost access to thousands of its computers for many weeks; the recovery process cost $10 million.
• Reckitt Benckiser, the owner of brands such as Air Wick, Calgon, Dettol, Durex and many others, announced that the NotPetya ransomware cost it $140 million.[6]

World-wide enterprises

Even large world-wide enterprises are not immune to ransomware breaches. Some notable examples are:

• Maersk, the world's largest container ship and supply vessel operator, suffered $300 million of business operations losses.[7]
• Renault and Nissan were forced to idle plants in France, Slovenia and Romania after the WannaCry epidemic.
• Norsk Hydro, one of the largest aluminium producers, was successfully attacked by ransomware that impacted both its IT and OT (operational technology) systems, affected 22,000 computers, and has taken months to recover at a cost of at least $57 million in lost revenue.[8]
• Wolters Kluwer was impacted by ransomware in early May 2019, and its CCH unit, which provides software and services for accounting, tax and audit, was off-line for days. The company has not disclosed the costs of this disruption.[9]

Managed Service Providers (MSPs)

MSPs, who offer IT services to their customers, are being compromised so that the attackers can plant ransomware on their customers' computers. MSPs have the ability to update software on their customers' machines, and apparently the attackers are compromising these management systems to plant ransomware on the MSPs' customers' systems. This is a pretty scary scenario, because even if the end user is doing all the right things to prevent a ransomware attack, if their MSP's system is compromised they can be also.[10]

The How and Why of Ransomware

We've already explained why ransomware happens. As in Willie Sutton's quote, it's where the money is. Ransomware is about earning money for the attackers. It is not done for espionage or data exfiltration purposes. Studies of Bitcoin transactions show that ransomware payments made to attackers have been at least $100 million (2013-2017)[11] and growing.

These are just the payments made to the attackers. It's even more expensive to recover lost computer systems, and to try and maintain services and product deliveries to your customers while those systems are being recovered. In fact it was discovered that some ransomware recovery services secretly pay the ransom to get their customers' systems back up and running.[12]

These numbers show that unless ransomware attacks become more difficult and expensive to implement, they will continue and likely grow over the coming years. See more on this topic under "How to stop ransomware" below.

How ransomware breaches occur

In order to effectively stop ransomware breaches we need to know how they occur. We will focus on the initial attack vectors, because today that is the only proven way to stop these breaches. Ransomware breaches have used the following attack vectors:

• Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS) are used to infect un-patched servers and workstations. Un-patched Internet-facing servers and desktops are particularly vulnerable to this attack because no user interaction is required to infect the computer. This attack vector was used in the 2017 WannaCry attacks. Recently Microsoft released security updates to prevent a similar vulnerability from being used in new attacks.[13]
• Email attachments are used to install ransomware on the recipient's machine or, more likely, to use the infected machine to gain access to the network and servers by escalating user privileges and dropping ransomware on servers with critical data. These attachments can contain malware that targets un-patched applications or operating systems. The attachments can also target Microsoft Macros.[14][15]
• Drive-by websites contain exploit kits with multiple malware options that can infect a visitor's web browser or plug-ins without any action by the visitor. The website can be a legitimate one whose owners do not know it has been compromised, or one specifically crafted by the attackers to impersonate a legitimate website. The malware exploits target un-patched software such as Web browsers, and plug-ins such as Adobe Flash Player, Oracle Java, etc. Malvertising is a modification on drive-by attacks, where malware is delivered by online ads, via advertising networks, on legitimate websites and infects visitors with vulnerable Web browsers or other vulnerable Web software. Typically no user interaction is required to infect their computer.[16]

How to stop ransomware

Based on the ransomware attack vectors described above, the following controls should be used to stop these attacks from becoming successful breaches:

• Keep operating systems and applications, including Web browsers and plug-ins, up to date with the latest security updates. There is no indication that any ransomware attack has used a so-called zero day vulnerability, so patching for known vulnerabilities is sufficient.[17]
• Remove all end of life (EOL) software and replace with supported versions.
• Limit the use of administrative privileges.
• Use secure configurations such as those offered by the Center for Internet Security (CIS)[18] or software vendors such as Microsoft[19] and Red Hat[20].

Notes

[1] Center for Internet Security (CIS) Basic Controls. We like the CIS controls because they are based on lessons learned from actual attacks and breaches and are created by people from multiple industries and government, including the NSA and DHS, who have deep knowledge of all aspects of cyber security.
[2] Our Oakland County, MI customer has stated that Belarc's system helped them prevent successful ransomware attacks over the past few years.
[3] "Early Findings: Review of State and Local Government Ransomware Attacks", Recorded Future, April 2019.
[4] "U.S. Cities Are Under Attack From Ransomware — And It's Going To Get Much Worse", Vice News, June 17, 2019.
[5] "Florida town pays $600,000 virus ransom", BBC Technology, 21 June 2019.
[6] "Understanding the true, hidden costs of ransomware attacks on the business", Acronis.
[7] "Understanding the true, hidden costs of ransomware attacks on the business", Acronis.
[8] "How a ransomware attack cost one firm £45m", BBC News, 25 June 2019.
[9] "Information Services Giant Wolters Kluwer Hit by Malware Attack", SecurityWeek, May 09, 2019.
[10] "Customers of 3 MSPs Hit in Ransomware Attacks", DarkReading, 6/20/2019.
[11] "On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective", Aug 2018, Table I.
[12] "Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers", ProPublica, May 15, 2019.
[13] "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)", Microsoft, May 14, 2019.
[14] "Macro malware", Microsoft, 5/31/2019.
[15] "Exploits and exploit kits", Microsoft, 5/31/2019.
[16] "Malvertising", Center for Internet Security.
[17] A zero day vulnerability is one with no security update or other mitigation to stop an attack using this vulnerability. This is not to be confused with a virus for which anti-virus software does not yet have a signature.
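The attack vectors listed under "How ransomware breaches occur" and the four controls under "How to stop ransomware" above can be checked against a software inventory. The script below is an added example written for this page; it is not Belarc's product or any code from the paper. Every host record, the "latest version" table, the EOL list and the two policy thresholds (30-day patch age, one local administrator) are constructed assumptions, as are the `Host`, `Finding`, `audit_host`, `audit` and `summarize` names. Each finding names the control that is not met and the attack vector that gap exposes the host to, so the output shows which control closes the most gaps.

```python
"""Inventory audit mapping hosts to the page's attack vectors and controls.
Added example (not Belarc's product or code); all data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed "current" versions for the drive-by / malvertising targets named
# on the page (hypothetical values, not a real patch feed).
LATEST_VERSION: Dict[str, str] = {
    "Web browser": "75.0.3770",
    "Adobe Flash Player": "32.0.0.207",
    "Oracle Java": "8u211",
}
EOL_SOFTWARE = {"Windows XP", "Windows Server 2003"}  # constructed EOL list
MAX_PATCH_AGE_DAYS = 30  # hypothetical policy: security updates within 30 days
MAX_LOCAL_ADMINS = 1     # hypothetical policy: one administrative account per host


@dataclass
class Host:
    name: str
    os: str
    days_since_patch: int
    internet_facing: bool
    rdp_enabled: bool
    software: Dict[str, str]   # product -> installed version
    local_admins: List[str]


@dataclass
class Finding:
    host: str
    control: str   # which of the page's four controls is not met
    vector: str    # which attack vector that gap exposes the host to
    detail: str
    severity: str  # "high" or "medium"


def version_key(version: str) -> tuple:
    """Numeric ordering of versions: '8u181' < '8u211', '70.0.3538' < '75.0.3770'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_host(h: Host) -> List[Finding]:
    """Check one host against the four controls and return every gap found."""
    findings: List[Finding] = []
    rdp_exposed = h.internet_facing and h.rdp_enabled
    # Control 1: security updates. An un-patched Internet-facing RDP host is the
    # no-user-interaction case the page singles out, so it is rated high.
    if h.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(
            h.name, "patching", "RDP/RDS" if rdp_exposed else "email attachment",
            f"no security updates for {h.days_since_patch} days",
            "high" if rdp_exposed else "medium"))
    # Control 2: end-of-life software no longer receives security updates at all.
    if h.os in EOL_SOFTWARE:
        findings.append(Finding(h.name, "remove EOL software", "RDP/RDS",
                                f"{h.os} is end of life", "high"))
    # Control 1 again, for the browser and plug-ins that exploit kits target.
    for product, installed in h.software.items():
        latest = LATEST_VERSION.get(product)
        if latest and version_key(installed) < version_key(latest):
            findings.append(Finding(h.name, "patching", "drive-by / malvertising",
                                    f"{product} {installed} is older than {latest}",
                                    "medium"))
    # Control 3: extra local administrators ease privilege escalation after a
    # malicious attachment runs.
    if len(h.local_admins) > MAX_LOCAL_ADMINS:
        findings.append(Finding(h.name, "limit administrative privileges",
                                "email attachment",
                                f"{len(h.local_admins)} local administrators: "
                                + ", ".join(h.local_admins), "medium"))
    # Control 4: secure configuration. RDP reachable from the Internet is
    # flagged as a hardening item (hypothetical policy).
    if rdp_exposed:
        findings.append(Finding(h.name, "secure configuration", "RDP/RDS",
                                "RDP reachable from the Internet", "medium"))
    return findings


def audit(inventory: List[Host]) -> List[Finding]:
    return [f for h in inventory for f in audit_host(h)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory: three hypothetical hosts.
SAMPLE_INVENTORY = [
    Host("web-01", "Windows Server 2003", 120, True, True,
         {"Web browser": "75.0.3770"}, ["Administrator"]),
    Host("desk-07", "Windows 10", 5, False, False,
         {"Web browser": "70.0.3538", "Adobe Flash Player": "30.0.0.134",
          "Oracle Java": "8u181"}, ["Administrator", "jsmith", "helpdesk"]),
    Host("desk-12", "Windows 10", 12, False, False,
         {"Web browser": "75.0.3770", "Oracle Java": "8u211"}, ["Administrator"]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.host:8} {f.control:32} {f.vector:24} {f.detail}")
    print(summarize(audit(SAMPLE_INVENTORY)))
```

On the constructed inventory the Internet-facing, end-of-life, un-patched server produces the two high-severity findings, while the workstation with stale browser, Flash and Java versions and three local administrators accounts for most of the medium ones; the patching control alone closes four of the seven gaps, which matches the paper's emphasis on keeping known vulnerabilities patched.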
